Bulletin (SB07-344)
Vulnerability Summary for the Week of December 3, 2007
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
- Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
- Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | APC -- Rack Power Distribution Unit APC -- OAS | The American Power Conversion (APC) AP7932 0u 30amp Switched Rack Power Distribution Unit (PDU), with rpdu 3.5.5 and aos 3.5.6, allows remote attackers to bypass authentication and obtain login access by making a login attempt while a different client is logged in, and then resubmitting the login attempt once the other client exits. |
| 7.1 | CVE-2007-6226 BUGTRAQ BID SECTRACK XF | Apple -- Quicktime | Unspecified vulnerability in Apple QuickTime 7.2 on Windows XP allows remote attackers to execute arbitrary code via unknown attack vectors, probably a different vulnerability than CVE-2007-6166. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release advisories with actionable information. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. However, the organization has stated that this is different than CVE-2007-6166. |
| 10.0 | CVE-2007-6238 OTHER-REF OTHER-REF BID | Apple -- Mac OS X | The accept_connections function in the virtual private network daemon (vpnd) in Apple Mac OS X 10.5 allows remote attackers to cause a denial of service (unhandled exception and daemon crash) via a crafted packet to UDP port 4112, which triggers an "arithmetic exception error." |
| 7.8 | CVE-2007-6276 MILW0RM BID XF | bcoos -- bcoos | Multiple SQL injection vulnerabilities in bcoos 1.0.10 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the gid parameter to modules/arcade/index.php in a show_stats action, or the lid parameter to (2) modules/myalbum/ratephoto.php or (3) modules/mylinks/ratelink.php, different vectors than CVE-2007-5104. |
| 7.5 | CVE-2007-6266 OTHER-REF BID SECUNIA XF | bcoos -- bcoos | SQL injection vulnerability in modules/adresses/ratefile.php in bcoos 1.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the lid parameter, a different vector than CVE-2007-????. |
| 7.5 | CVE-2007-6275 OTHER-REF SECUNIA | Beehive Forum -- Beehive Forum | SQL injection vulnerability in post.php in Beehive Forum 0.7.1 and earlier allows remote attackers to execute arbitrary SQL commands via the t_dedupe parameter. |
| 7.5 | CVE-2007-6014 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA | Beehive Forum -- Beehive Forum | Multiple unspecified vulnerabilities in Beehive Forum 0.7.1 have unknown "critical" impact and attack vectors, different issues than CVE-2007-6014. |
| 7.5 | CVE-2007-6241 OTHER-REF SECUNIA | DeluxeBB -- DeluxeBB | cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php. |
| 9.0 | CVE-2007-6237 BUGTRAQ SECUNIA | flac -- libflac | Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619. |
| 9.3 | CVE-2007-6277 EEYE BUGTRAQ CERT-VN SECTRACK | flac -- libflac | Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file. |
| 9.3 | CVE-2007-6278 EEYE BUGTRAQ CERT-VN SECTRACK | flac -- libflac | Multiple double-free vulnerabilities in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via malformed (1) Seektable values or (2) Seektable Data Offsets in a .FLAC file. |
| 9.3 | CVE-2007-6279 EEYE BUGTRAQ CERT-VN SECTRACK | FTP Admin -- FTP Admin | index.php in FTP Admin 0.1.0 allows remote attackers to bypass authentication and obtain administrative access via a loggedin parameter with a value of true, as demonstrated by adding a user account. |
| 10.0 | CVE-2007-6234 MILW0RM SECUNIA XF | GNU -- Emacs | Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. |
| 10.0 | CVE-2007-6109 SUSE | Heimdal -- Heimdal | The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect. |
| 10.0 | CVE-2007-5939 OTHER-REF | HP -- Select Identity | Unspecified vulnerability in HP Select Identity 4.01 before 4.01.012 and 4.1x before 4.13.003 allows remote attackers to obtain unspecified access via unknown vectors. |
| 10.0 | CVE-2007-6194 HP BID FRSIRT SECUNIA | Irola -- My-Time | Multiple SQL injection vulnerabilities in login.asp in Irola My-Time (aka Timesheet) 3.5 allow remote attackers to execute arbitrary SQL commands via the (1) login (aka Username) and (2) password parameters. NOTE: some of these details are obtained from third party information. |
| 7.5 | CVE-2007-6217 BUGTRAQ MILW0RM OTHER-REF FRSIRT SECUNIA | Joomla -- Joomla | Multiple SQL injection vulnerabilities in index.php in Joomla! 1.5 RC3 allow remote attackers to execute arbitrary SQL commands via (1) the view parameter to the com_content component, (2) the task parameter to the com_search component, or (3) the option parameter in a search action to the com_search component. |
| 7.5 | CVE-2007-6272 BUGTRAQ BID | Linux -- netkit_ftp | Double-free vulnerability in the getreply function in ftp.c in netkit ftp (netkit-ftp) 0.17 20040614 and later allows remote FTP servers to cause a denial of service (application crash) and possibly have unspecified other impact via some types of FTP protocol behavior. NOTE: the netkit-ftpd issue is covered by CVE-2007-????. |
| 10.0 | CVE-2007-5769 OTHER-REF OTHER-REF | Linux -- netkit_ftpd | The dataconn function in ftpd.c in netkit ftpd (netkit-ftpd) 0.17, when certain modifications to support SSL have been introduced, calls fclose on an uninitialized file stream, which allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via some types of FTP over SSL protocol behavior, as demonstrated by breaking a passive FTP DATA connection in a way that triggers an error in the server's SSL_accept function. NOTE: the netkit ftp issue is covered by CVE-2007-5769. |
| 9.3 | CVE-2007-6263 OTHER-REF | MIT -- Kerberos 5 | The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does not initialize the length variable when auth_type has a certain value, which has unknown impact and remote authenticated attack vectors. NOTE: the original disclosure misidentifies the conditions under which the uninitialized variable is used. |
| 10.0 | CVE-2007-5894 OTHER-REF | MIT -- Kerberos 5 | Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code. |
| 10.0 | CVE-2007-5901 OTHER-REF | MIT -- Kerberos 5 | Integer overflow in the svcauth_gss_get_principal function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have an unknown impact via a large length value for a GSS client name in an RPC request. |
| 10.0 | CVE-2007-5902 OTHER-REF | MIT -- Kerberos 5 | Double-free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. |
| 10.0 | CVE-2007-5971 OTHER-REF | MIT -- Kerberos 5 | Double-free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and thus the attacker must have privileges to store this key. |
| 9.0 | CVE-2007-5972 OTHER-REF | Mortbay Jetty -- Jetty | Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors. |
| 7.5 | CVE-2007-5614 OTHER-REF CERT-VN | phpBB -- Garage | SQL injection vulnerability in garage.php in phpBB Garage 1.2.0 Beta3 allows remote attackers to execute arbitrary SQL commands via the make_id parameter in a search action in browse mode. |
| 7.5 | CVE-2007-6223 MILW0RM | QEMU -- QEMU | QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an "overflow," via certain Windows executable programs, as demonstrated by qemu-dos.com. |
| 7.2 | CVE-2007-6227 BUGTRAQ BID | Rayzz -- Rayzz Script | PHP remote file inclusion vulnerability in common/classes/class_HeaderHandler.lib.php in Rayzz Script 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the CFG[site][project_path] parameter. |
| 7.5 | CVE-2007-6229 MILW0RM | Rayzz -- Rayzz Script | Directory traversal vulnerability in common/classes/class_HeaderHandler.lib.php in Rayzz Script 2.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the CFG[site][project_path] parameter. |
| 7.5 | CVE-2007-6230 MILW0RM | Red Hat -- Enterprise Linux AS Red Hat -- Enterprise Linux ES Red Hat -- Enterprise Linux WS Red Hat -- Desktop | Perl-Compatible Regular Expression (PCRE) library before 6.7 does not properly calculate the compiled memory allocation for regular expressions that involve a quantified "subpattern containing a named recursion or subroutine reference," which allows context-dependent attackers to cause a denial of service (error or crash). |
| 7.8 | CVE-2006-7226 OTHER-REF OTHER-REF REDHAT REDHAT | SING -- SING | Send Nasty ICMP Garbage (sing) on Debian GNU/Linux allows local users to append to arbitrary files and gain privileges via the -L (output log file) option. |
| 7.2 | CVE-2007-6211 BUGTRAQ BID | Snitz Forums 2000 -- Snitz Forums | SQL injection vulnerability in active.asp in Snitz Forums 2000 3.4.06 allows remote attackers to execute arbitrary SQL commands via the BuildTime parameter. |
| 7.5 | CVE-2007-6240 MILW0RM BID SECUNIA | Tellmatic -- Tellmatic | Multiple PHP remote file inclusion vulnerabilities in tellmatic 1.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the tm_includepath parameter to (1) Classes.inc.php, (2) statistic.inc.php, (3) status.inc.php, (4) status_top_x.inc.php, or (5) libchart-1.1/libchart.php in include/. |
| 7.5 | CVE-2007-6231 MILW0RM | TuMusika Evolution -- TuMusika Evolution | TuMusika Evolution 1.7R5 allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.8 | CVE-2007-6221 SECUNIA XF | XIGLA -- Absolute News Manager.NET | Multiple SQL injection vulnerabilities in xlaabsolutenm.aspx in Absolute News Manager.NET 5.1 allow remote attackers to execute arbitrary SQL commands via the (1) z, (2) pz, (3) ord, and (4) sort parameters. |
| 7.5 | CVE-2007-6269 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF BID SECUNIA |
|---|
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Apache Software Foundation -- Apache | Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918. |
| 4.3 | CVE-2007-6203 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | Apple -- Mac OS X | Integer overflow in the load_threadstack function in the Mach-O loader (mach_loader.c) in the xnu kernel in Apple Mac OS X 10.4 through 10.5.1 allows local users to cause a denial of service (infinite loop) via a crafted Mach-O binary. |
| 4.9 | CVE-2007-6261 OTHER-REF BID FRSIRT SECUNIA | Avast -- Avast Antivirus Professional Avast -- Avast Antivirus Home | Unspecified vulnerability in avast! 4 Home and Professional Editions before 4.7.1098 allows remote attackers to have an unknown impact via a crafted TAR archive. |
| 6.8 | CVE-2007-6265 OTHER-REF BID SECUNIA | bcoos -- bcoos | Multiple cross-site scripting (XSS) vulnerabilities in modules/ecal/display.php in the Event Calendar in bcoos 1.0.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) day or (2) year parameter. |
| 4.3 | CVE-2007-6274 OTHER-REF BID SECUNIA XF | CRM_CTT -- Interleave | The CheckCustomerAccess function in functions.php in CRM-CTT Interleave before 4.2.0 (formerly CRM-CTT) does not properly verify user privileges, which allows remote authenticated users with the LIMITTOCUSTOMERS privilege to bypass intended access restrictions and edit non-active user settings. NOTE: some of these details are obtained from third party information. |
| 6.5 | CVE-2007-6222 OTHER-REF SECUNIA | Ext2 Filesystems Utilities -- e2fsprogs | Multiple integer overflows in libext2fs in e2fsprogs allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image. |
| 5.8 | CVE-2007-5497 SUSE | FTP -- Admin | Cross-site scripting (XSS) vulnerability in index.php in FTP Admin 0.1.0 allows remote attackers to inject arbitrary web script or HTML via the error parameter in an error page action. |
| 4.3 | CVE-2007-6232 MILW0RM SECUNIA XF | FTP Admin -- FTP Admin | Directory traversal vulnerability in index.php in FTP Admin 0.1.0 allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the page parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. |
| 4.9 | CVE-2007-6233 MILW0RM SECUNIA XF | Google -- KML | Directory traversal vulnerability in region.php in KML share 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the layer parameter. |
| 5.0 | CVE-2007-6212 MILW0RM | IBM -- Tivoli Netcool Security Manager | Cross-site scripting (XSS) vulnerability in IBM Tivoli Netcool Security Manager 1.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 4.3 | CVE-2007-6219 OTHER-REF FRSIRT SECTRACK SECUNIA | Intel -- PRO Wireless 3945ABG Intel -- Wireless WiFi Link 4965AGN | The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier dereferences an iwl_get_hw_mode return value without checking for NULL, which might allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors during module initialization. |
| 5.0 | CVE-2007-5938 OTHER-REF OTHER-REF | LearnLoop -- LearnLoop | Directory traversal vulnerability in include/file_download.php in LearnLoop 2.0 beta7 allows remote attackers to read arbitrary files via a .. (dot dot) in the sFilePath parameter. NOTE: exploitation requires that the product is configured, but has zero files in the database. |
| 4.3 | CVE-2007-6214 MILW0RM | Microsoft -- Internet Explorer | The Web Proxy Auto-Discovery (WPAD) feature in Microsoft Internet Explorer 6 and 7, when a primary DNS suffix with three or more components is configured, resolves an unqualified wpad hostname in a second-level domain outside this configured DNS domain, which allows remote WPAD servers to conduct man-in-the-middle (MITM) attacks. |
| 5.8 | CVE-2007-5355 OTHER-REF MSKB BID FRSIRT SECTRACK SECUNIA | Microsoft -- Windows Media Player | Microsoft Windows Media Player (WMP) allows remote attackers to cause a denial of service (application crash) via a certain AIFF file that triggers a divide-by-zero error, as demonstrated by kr.aiff. |
| 5.0 | CVE-2007-6236 MILW0RM BID | Mortbay Jetty -- Jetty | Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies. |
| 4.3 | CVE-2007-5613 OTHER-REF OTHER-REF CERT-VN | Mortbay Jetty -- Jetty | CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
| 5.0 | CVE-2007-5615 OTHER-REF CERT-VN | OpenOffice -- OpenOffice | Unspecified vulnerability in HSQLDB before 1.8.0.9 in OpenOffice.org (OOo) 2 before 2.3.1 allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents. |
| 6.8 | CVE-2007-4575 OTHER-REF BID FRSIRT SECUNIA | Oracle -- Database 11g Oracle -- Database 10g | The installation process for Oracle 10g and llg uses accounts with default passwords, which allows remote attackers to obtain login access by connecting to the Listener. NOTE: at the end of the installation, if performed using the Database Configuration Assistant (DBCA), most accounts are disabled or their passwords are changed. |
| 6.8 | CVE-2007-6260 BUGTRAQ OTHER-REF OTHER-REF | Ossigeno -- CMS | Multiple PHP remote file inclusion vulnerabilities in Ossigeno CMS 2.2 pre1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) level parameter to (a) install_module.php and (b) uninstall_module.php in upload/xax/admin/modules/, (c) upload/xax/admin/patch/index.php, and (d) install_module.php and (e) uninstall_module.php in upload/xax/ossigeno/admin/; and the (2) ossigeno parameter to (f) ossigeno_modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php, different vectors than CVE-2007-5234. |
| 5.0 | CVE-2007-6218 OTHER-REF BID | Perl -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence. |
| 5.0 | CVE-2006-7225 OTHER-REF OTHER-REF REDHAT REDHAT | Real -- RealPlayer | The RealNetworks RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll, as shipped with RealPlayer 11, allows remote attackers to cause a denial of service (browser crash) via a certain argument to the GetSourceTransport method. |
| 5.0 | CVE-2007-6224 BUGTRAQ OTHER-REF BID XF | RealNetworks -- RealPlayer | A certain ActiveX control in RealNetworks RealPlayer 11 allows remote attackers to cause a denial of service (application crash) via a malformed .au file that triggers a divide-by-zero error. NOTE: this might be related to CVE-2007-4904. |
| 5.0 | CVE-2007-6235 BUGTRAQ MILW0RM OTHER-REF | SonicWall -- Global VPN Client | Multiple format string vulnerabilities in the configuration file in SonicWALL GLobal VPN Client 3.1.556 and 4.0.0.810 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in the (1) Hostname tag or the (2) name attribute in the Connection tag. NOTE: there might not be any realistic circumstances in which this issue crosses privilege boundaries. |
| 6.8 | CVE-2007-6273 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | Squid -- Squid Web Proxy Cache | The "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers. |
| 5.0 | CVE-2007-6239 OTHER-REF OTHER-REF BID FRSIRT SECUNIA | Sun -- Solaris | Race condition in the Fibre Channel protocol (fcp) driver and Devices filesystem (devfs) in Sun Solaris 10 allows local users to cause a denial of service (system hang) via some programs that access hardware resources, as demonstrated by the (1) cfgadm and (2) format programs. |
| 4.7 | CVE-2007-6216 SUNALERT BID FRSIRT SECUNIA | Sun -- Solaris | Unspecified vulnerability in Sun Solaris 10, when 64bit mode is used on the x86 platform, allows local users in a Linux (lx) branded zone to cause a denial of service (panic) via unspecified vectors. |
| 4.9 | CVE-2007-6225 SUNALERT BID FRSIRT SECUNIA XF | typespeed -- Typespeed | typespeed before 0.6.4 allows remote attackers to cause a denial of service (application crash) via unspecified network behavior that triggers a divide-by-zero error. |
| 5.0 | CVE-2007-6220 OTHER-REF OTHER-REF BID SECUNIA | VideoLAN -- VLC Media Player | A certain ActiveX control in axvlc.dll in VideoLAN VLC 0.8.6 before 0.8.6d allows remote attackers to execute arbitrary code via crafted arguments to the (1) addTarget, (2) getVariable, or (3) setVariable function, resulting from a "bad initialized pointer," aka a "recursive plugin release vulnerability." |
| 6.8 | CVE-2007-6262 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF | Web-MeetMe -- Web-MeetMe | Multiple directory traversal vulnerabilities in play.php in Web-MeetMe 3.0.3 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) roomNo and possibly the (2) bookid parameter. |
| 5.0 | CVE-2007-6215 MILW0RM | WebED -- WebED | Multiple directory traversal vulnerabilities in mod/chat/index.php in WebED 0.0.9 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) Root and (2) Path parameters. |
| 5.0 | CVE-2007-6213 MILW0RM | XenSource Inc -- Xen | Xen 3.x, possibly before 3.1.2, when running on IA64 systems, does not check the RID value for mov_to_rr, which allows a VTi domain to read memory of other domains. |
| 5.0 | CVE-2007-6207 OTHER-REF MLIST | XIGLA -- Absolute News Manager.NET | Directory traversal vulnerability in pages/default.aspx in Absolute News Manager.NET 5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. |
| 5.0 | CVE-2007-6268 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF BID SECUNIA | XIGLA -- Absolute News Manager.NET | Multiple cross-site scripting (XSS) vulnerabilities in Absolute News Manager.NET 5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) rmore parameter to xlaabsolutenm.aspx and the (2) template parameter to pages/default.aspx. |
| 4.3 | CVE-2007-6270 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA | XIGLA -- Absolute News Manager.NET | Absolute News Manager.NET 5.1 allows remote attackers to obtain sensitive information via a direct request to getpath.aspx, which reveals the installation path in an error message. |
| 4.3 | CVE-2007-6271 BUGTRAQ OTHER-REF BID | Yahoo -- Yahoo Toolbar | Stack-based buffer overflow in the Helper class in the yt.ythelper.2 ActiveX control in Yahoo! Toolbar 1.4.1 allows remote attackers to cause a denial of service (browser crash) via a long argument to the c method. |
| 6.8 | CVE-2007-6228 FULLDISC BID XF | ZSH -- ZSH | difflog.pl in zsh 4.3.4 allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 4.6 | CVE-2007-6209 MLIST MLIST MLIST OTHER-REF |
|---|
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Citrix -- EdgeSight for Presentation Server Citrix -- EdgeSight for Endpoints Citrix -- EdgeSight for NetScaler | Citrix EdgeSight 4.2 and 4.5 for Presentation Server, EdgeSight 4.2 and 4.5 for Endpoints, and EdgeSight for NetScaler 1.0 and 1.1 do not properly store database credentials in configuration files, which allows local users to obtain sensitive information. |
| 2.1 | CVE-2007-6267 OTHER-REF BID FRSIRT SECUNIA | Claws Mail -- Claws Mail Tools | sylprint.pl in claws mail tools (claws-mail-tools) allows local users to overwrite arbitrary files via a symlink attack on the sylprint.[USER].[PID] temporary file. |
| 3.6 | CVE-2007-6208 OTHER-REF | Linux -- Kernel | Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information. |
| 2.1 | CVE-2007-6206 OTHER-REF OTHER-REF | ZABBIX -- Zabbix_agentd | zabbix_agentd 1.1.4 in ZABBIX runs "UserParameter" scripts with gid 0, which might allow local users to gain privileges. |
| 2.1 | CVE-2007-6210 OTHER-REF |
|---|
=
This product is provided subject to this Notification and this Privacy & Use policy.
